"Dealing with phishing attacks is no lighthearted matter, but preventing one before it happens can be. Researchers at Carnegie Mellon University (CMU) developed a Flash-based online game called Anti-Phishing Phil its creators hope will raise awareness about the scourge of phishing by making learning about prevention fun.

CMU researchers say more traditional anti-phishing measures such as eBay's spoof e-mail tutorial or even the FTC's phishing prevention guide are excellent but are often ignored by Web surfers. CMU researchers says its' Anti-Phishing Phil game is more apt to be used by Web surfers and therefore is a more effective tool in promoting safe surfing.

Go Phish

As a tiny fish in the big-bad ocean in Anti-Phishing Phil you swim around and eat legit Web addresses or reject phishy ones. You can also ask your "father" for advice. For every URL you devour or reject, an end-of-round synopsis explains why the URL was legit or a scam. Additionally, good ol' dad will school you between each round offering anti-phishing tips such as one which says plug questionable URLs into Google to see if they turn up authentic sites.

The game is simplistic. But despite its cartoon-ish style, Anti-Phishing Phil is a serious attempt to prevent Web users from falling for some of the most common phishing scams out there.

The Phil Effect

Developed by CMU's Usable Privacy and Security Laboratory, the game coincides with a CMU study (PDF) that found playing Anti-Phishing Phil was more effective at teaching people not to bite a phishing lure than traditional anti-phishing measures.

The CMU study consisted of showing two groups of people real and fake URLs and asking each group to determine the real ones. One group was trained by Anti-Phishing Phil and the other by more traditional anti-phishing training methods.

According to CMU user education is key to preventing phishing attacks. Researchers state people are often reluctant to read tutorials or training materials, such as eBay's spoof email tutorial or even the FTC's phishing prevention guide. Researchers are careful to point out both eBay and FTC's anti-phishing efforts are surprisingly effective, but only when people actually read them.

In the end, Anti-Phishing Phil hopes to be "an effective approach to user education," say researchers. CMU's CyLab will detail its entire study on eCrime research at a summit early next month."